Transportation Security Acquisition Reform Act: TSA Generally Addressed Requirements, but Could Improve Reporting on Security-Related Technology

Fast Facts

Security technologies—such as body scanners and explosives detection systems—are a crucial and often expensive part of TSA's work.

To help ensure that TSA's technology purchases are strategic and efficient, Congress required TSA to justify technology acquisitions costing more than $30 million at least 30 days before awarding a contract.

This particular requirement stems from a 2014 law, but TSA did not submit its first justifications under the law until August 2018. While we found that TSA has generally been consistent with the law's requirements, we also recommended that TSA revise its policies to report more frequently under the law.

Picture of airport passengers going through TSA security screening.

Highlights

What GAO Found

Since 2016, the Transportation Security Administration (TSA) generally addressed Transportation Security Acquisition Reform Act (TSARA) requirements through its policies and procedures for acquisition justifications, baseline requirements, and management of inventory. TSA also, among other actions, submitted a technology investment plan and annual small-business contracting goals reports to Congress as required.

Since December 2014, TSA reported limited security-related technology (SRT) acquisitions to Congress under TSARA, submitting its first report in August 2018. TSARA contains a report and certification provision pursuant to which TSA is to submit information to Congress 30 days prior to the award of a contract for an SRT acquisition exceeding $30 million. Through July 2018, TSA obligated about $1.4 billion on SRT and associated services. TSA officials explained that none of these obligations—including 7 SRT orders, each in excess of $30 million—invoked the report and certification provision because the obligations did not align with TSA's implementation policy, which provides that the $30 million threshold relates to the contract ceiling of the initial SRT contract and not to individual task and delivery orders. Revising TSA's policy to include contracts for services that enhance the capabilities of SRT, including any orders for SRT and associated services in excess of $30 million, would better ensure that Congress has the information it needs to effectively oversee TSA's SRT acquisitions.

TSA has not effectively communicated internally its implementation decisions for what constitutes an SRT under TSARA. TSA officials described to GAO that SRT must be equipment that is public facing, but TSA's policy does not clearly state the parameters of what is considered an SRT. Without clear guidance, TSA staff may be unaware of these parameters and how they apply to future acquisitions under TSARA. For example, TSA acquisition program staff were initially unable to confirm for GAO whether the technologies TSA had acquired were SRTs and thus subject to TSARA. Updating TSA policy to include detailed parameters for what constitutes an SRT would better ensure consistency in applying the act.

Examples of Security-Related Technology

Why GAO Did This Study

Enacted in December 2014, TSARA introduced legislative reforms to promote greater transparency and accountability in TSA's SRT acquisitions.

TSARA contains a provision that GAO submit two reports to Congress on TSA's progress in implementing TSARA. In February 2016, GAO issued the first report that found TSA had taken actions to address TSARA.

This second report examines TSA's (1) progress in addressing TSARA requirements since 2016, (2) reporting to Congress on SRT acquisitions, and (3) internal communication of its implementation decisions. GAO examined TSARA and TSA documents and guidance; analyzed TSA contract data and reports from TSARA's enactment in December 2014 through July 2018 and September 2018, respectively; and interviewed DHS and TSA officials on actions taken to implement TSARA. GAO also conducted interviews with TSA officials on parameters for reporting on SRT acquisitions.

Recommendations

GAO recommends that TSA revise its policies for the report and certification provision of TSARA to include reporting on task and delivery orders and services associated with SRT, and clarify in policy what constitutes an SRT under TSARA. DHS generally concurred with the recommendations and described steps it plans to take to implement them.

Recommendations for Executive Action

Agency Affected	Recommendation	Status
Transportation Security Administration	The TSA Administrator should revise TSA's policy to require that TSA also submit information under TSARA's report and certification provision prior to the award of contracts and blanket purchase agreements for services associated with the operation of security-related technology, such as maintenance and engineering services, that exceed $30 million. (Recommendation 1)	Closed – Implemented In August 2019, in response to our recommendation, TSA finalized a memo clarifying the definition of a security-related technology to include engineering services provided that would result in new capabilities, enhancements of existing capabilities, or an upgrade to an existing operational security-related technology. In January 2020, TSA officials confirmed that the clarified definition of a security-related technology would require that Congress be notified of all security-related technology equipment acquired including any funding obligation that exceeds $30 million. These actions should help provide TSA with reasonable assurance it is providing Congress with the information it needs to effectively oversee TSA's security-related technology acquisitions.
Transportation Security Administration	The TSA Administrator should revise TSA's policy to require that TSA also submit information under TSARA's report and certification provision prior to the issuance of individual task and delivery orders for security-related technology acquisitions that exceed $30 million. (Recommendation 2)	Closed – Implemented In August 2019, in response to our recommendation, TSA finalized a memo clarifying that it is to submit information under TSARA's report and certification provision for security-related technologies and related services that include any funding obligation that exceeds the $30 million threshold for the total contract value. In January 2020, TSA officials clarified that TSA defines "any funding obligation" to include task and delivery orders as noted in our recommendation. This clarification should help provide TSA with reasonable assurance that it is providing Congress with the information it needs to effectively oversee TSA's security-related technology acquisitions.
Transportation Security Administration	The TSA Administrator should clarify and document what constitutes an SRT under TSARA as part of the planned update of TSA's TSARA implementation policy. (Recommendation 3)	Closed – Implemented In September 2019, TSA provided its finalized TSARA implementation plan to include the clarified definition of security related technology (SRT). This definition now includes engineering services that enhance capabilities and specifies that SRTs are those that are public facing or interact with the public. This clarification should provide TSA officials responsible for implementing TSARA with reasonable guidance on what acquisitions require notification to Congress under TSARA.

Full Report

Highlights Page (1 page)

Full Report (45 pages)

GAO Contacts

William Russell

Director

russellw@gao.gov

(202) 512-4841

Office of Public Affairs

Chuck Young

Managing Director

youngc1@gao.gov

(202) 512-4800

Topics

Transportation

Acquisition programsAcquisition reformBlanket purchase agreementsContract awardHomeland securityPolicies and proceduresReporting requirementsTechnology investmentsTransportation securityContract performance